Ahmad Shahwaiz

Reputation: 1512

In Android, How to secure api keys on client side even when device is rooted?

How do we secure api keys on rooted device?

As you know, we can't trust the client; what we can do is make things difficult for the hacker. Following are some of the points I know of to secure keys:

  1. Using the NDK (store the key in your C class and get it in the Kotlin class at runtime) - Even if the device is rooted or the app decompiled, the hacker can't access it.
  2. Using the Android KeyChain (stores the key in the device hardware, and without device integrity and the certificate no one can access it. It is stored in a separate place from your application. Not sure what happens if we decompile the app).
  3. Secure Shared Preferences. (Even if we encrypt the file, it can still be accessed on a rooted device; one might be able to figure out the decryption algorithm after checking the code.)
  4. Secure Shared Preferences and ProGuard/DexGuard? (Still not a good idea to store the encrypted key publicly available under the app package when the device is rooted.)
  5. If we just encrypt the file? (Again it will be under the app package folder and can be accessed.)

What can be other options?

Upvotes: 0

Views: 1369

Answers (1)

tyczj

Reputation: 74066

Have a look at the Jetpack Security Library where you can encrypt files or shared preferences.

However, a good rule of thumb is: if you don't want things from your app to be accessed, then you should not store them locally.

Upvotes: 0
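As an added example (not code from the question or the answer above), this is what using the Jetpack Security library mentioned in the answer looks like. It assumes the `androidx.security:security-crypto` dependency is on the classpath; the preference file name `secret_prefs`, the class name `SecretStore` and the key name `api_token` are chosen here for illustration. The wrapping key is created in the Android Keystore, so the app only holds an alias, and the preference file on disk contains ciphertext rather than the plain value.

```kotlin
// Added example, not part of the original question or answer.
// Assumes androidx.security:security-crypto is a declared dependency.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

class SecretStore(context: Context) {

    // Wrapping key lives in the Android Keystore (hardware-backed where the
    // device supports it); the app never sees the raw key bytes.
    private val masterKey: MasterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Both preference keys and values are encrypted before they reach disk.
    // "secret_prefs" is an assumed file name for this example.
    private val prefs = EncryptedSharedPreferences.create(
        context,
        "secret_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    // Store a server-issued, short-lived token rather than a long-lived key.
    fun putToken(token: String) {
        prefs.edit().putString(KEY_TOKEN, token).apply()
    }

    // Returns null when no token has been stored yet.
    fun getToken(): String? = prefs.getString(KEY_TOKEN, null)

    // Remove the token, e.g. on logout or when the backend revokes it.
    fun clearToken() {
        prefs.edit().remove(KEY_TOKEN).apply()
    }

    private companion object {
        const val KEY_TOKEN = "api_token" // assumed preference key name
    }
}
```

What this buys you is protection of the value at rest: copying the preference file off a rooted device yields ciphertext, and the key that decrypts it is not in the APK. It does not change the answer's rule of thumb, because the running app still decrypts the value into memory, so a secret the app must be able to read is best a short-lived token the backend issues after the user authenticates, not a long-lived API key embedded in the client.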
